[19579] in Kerberos_V5_Development
Re: krb5 commit: Modernize UTF-8/UCS-2 conversion code
daemon@ATHENA.MIT.EDU (Stefan Metzmacher)
Tue Apr 18 04:32:29 2017
To: Greg Hudson <ghudson@mit.edu>, Robbie Harwood <rharwood@redhat.com>
From: Stefan Metzmacher <metze@samba.org>
Message-ID: <4fc839eb-c47b-5762-6c8a-5c88e94f00e4@samba.org>
Date: Tue, 18 Apr 2017 10:32:06 +0200
MIME-Version: 1.0
In-Reply-To: <e81f8b54-8eff-3aaf-599a-5d86804a07db@mit.edu>
Cc: krbdev@mit.edu
Content-Type: multipart/mixed; boundary="===============3525779385660250943=="
Errors-To: krbdev-bounces@mit.edu
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============3525779385660250943==
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature";
boundary="HdWsD9UtvfXBdg5ueK60DEcXFSDasePNk"
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--HdWsD9UtvfXBdg5ueK60DEcXFSDasePNk
Content-Type: multipart/mixed; boundary="B42EERaxspcTDQuCSHVWqG8U1Rt7G4Tca";
protected-headers="v1"
From: Stefan Metzmacher <metze@samba.org>
To: Greg Hudson <ghudson@mit.edu>, Robbie Harwood <rharwood@redhat.com>
Cc: krbdev@mit.edu
Message-ID: <4fc839eb-c47b-5762-6c8a-5c88e94f00e4@samba.org>
Subject: Re: krb5 commit: Modernize UTF-8/UCS-2 conversion code
References: <201704171858.v3HIwVhW013893@drugstore.mit.edu>
<c294c45e-6d55-063c-be21-0316e07bf81c@samba.org>
<e81f8b54-8eff-3aaf-599a-5d86804a07db@mit.edu>
In-Reply-To: <e81f8b54-8eff-3aaf-599a-5d86804a07db@mit.edu>
--B42EERaxspcTDQuCSHVWqG8U1Rt7G4Tca
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable
Am 17.04.2017 um 21:53 schrieb Greg Hudson:
> On 04/17/2017 03:24 PM, Stefan Metzmacher wrote:
>> is there a reson why you still limit this to USC-2 and not use full UT=
F16
>> support?
>=20
> This commit was just trying to eliminate warnings, not change the
> functionality.
Ok, "Modernize UTF-8/UCS-2 conversion code" indicated a more or less
rewrite of the code to me. As it's not you may just ignore this topic
for now.
> This code originally came from OpenLDAP's utf-8-conv.c, and was
> incorporated with the goal of Windows compatibility (for PACs and RC4
> string-to-key). If Windows now supports UTF-16 then we could consider
> extending it, but I wouldn't want to do so without confirmation of that=
=2E
I think Windows always supported UTF-16 instead of USC-2, at least it
did for the last 10 years (at least for passwords).
>> We had a lot of trouble with the limited unicode support of krb5 libra=
ries
>> in Samba recently, see https://bugzilla.samba.org/show_bug.cgi?id=3D12=
262
The core of the problem is that Windows uses an random buffer as machine
password,
and interprets it as UTF16 (which is not always valid UTF-16).
The MD4 of the raw buffer is the NTHASH/RC4-key.
In order to calculate the AES-keys the buffer is converted to (valid)
UTF-8 first.
The following rules are applied to the raw buffer first:
1) any 0x0000 characters are mapped to 0x0001
2) convert any instance of 0xD800 - 0xDBFF (high surrogate)
without an immediately following 0xDC00 - 0x0xDFFF (low surrogate) to
U+FFFD (OBJECT REPLACEMENT CHARACTER).
3) the same for any low surrogate that was not preceded by a high surroga=
te.
Windows stores the raw buffer as master copy of the password,
while Samba currently stores the UTF-8 password.
If we pass the UTF-8 to the krb5 libraries we may calculate a different
NTHASH,
because the transition from the random (UTF-16-like) buffer to valid UTF-=
8
and back to valid UTF-16 looses information.
So our current solution is limiting the machine password to valid utf-8,
with codepoints up to 0xffff.
In future we may try to do pass a keytab instead of password to the krb5
libraries
and calculate the keys ourself in order to avoid these problems.
So there's currently no immediate action required.
metze
--B42EERaxspcTDQuCSHVWqG8U1Rt7G4Tca--
--HdWsD9UtvfXBdg5ueK60DEcXFSDasePNk
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
iQIcBAEBAgAGBQJY9c8JAAoJEA219WEoab1Wc5sP/jwU1pzeqwd6qbBiiCs3aFfr
IlKDmapmoxD+iWjxL48Olz83tFGbVJ0s/2xM9GDVQGCV+U5zSeiXfn4q9fxP2RpQ
oXd4806GYJtRF2gGom2sOEzaWB1dXgIB42aGljsujGF+i+snl/v85CD8bzp9wX/b
kcODAe7hldVhfVxrfMTV0YE9rgYUDhm58oS+zFzHHSKuVUjtY8hDlCXlhIUJY2Qw
6lZVUjp0aptD7LCrMFxyuo3LElYzbVaVkf+oof4AdjeziL09sbMB/YY9y9Gp2WYX
X+Gonf2YHLCpAlO0k5VLNWkpH5Po4QICzMtAMhUB/rKubXJBbrheCqO4e6dvXQGe
II/qDZvs19agj3Mba8aGnst6hUiab6FjnjT3qMeF0hxPjluv7SxkFTAEgZ1QPWbe
Lq0q7BmrVY7jPjDvejgZoaqN0KltDHWZrLXtCRPBjwQTNtsuxzVbP2pNzSuAunJb
WmRhZPNjI7fSI1kGJoj4XTCQP5EeCXTaVBDdaaAwSiTXtxhwUEByAdfiBINpjvUd
/hmcG3+AuGQIS+3gkEBHMYO1NKh/+XaDIWf4cr2d7BfKElSlblqgx8zdwoN+XnTI
7PiwHskNHGpkTm+OEoV4k34kSo+z56NoJgjhi+NcSVTrNA7is8mSk38f0mZeIA2K
C4lNiK8Ha6WbuFM0Qji6
=cByY
-----END PGP SIGNATURE-----
--HdWsD9UtvfXBdg5ueK60DEcXFSDasePNk--
--===============3525779385660250943==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
--===============3525779385660250943==--